Robin McCorkell
2014-Nov-03 15:09 UTC
CanonicalizeHostname issues with multiple config blocks
When using the CanonicalizeHostname and CanonicalDomains directives, the
options parsed before the hostname is canonicalized cannot be overridden by
more specific blocks after canonicalization. For example:

CanonicalizeHostname yes
CanonicalDomains foo.bar.com

Host *.foo.bar.com
    GSSAPIAuthentication yes

Host *
    GSSAPIAuthentication no

If connecting to 'srv.foo.bar.com', then GSSAPI authentication is enabled.
But connecting to 'srv', even though it is canonicalized correctly to
'srv.foo.bar.com', does not enable GSSAPI authentication as the 'Host *'
block is parsed before canonicalization and cannot then be overridden by
the more specific block.

This behaviour was tested with OpenSSH 6.7 on Arch Linux.

Thanks,
Robin McCorkell
The Linux Schools Project
http://www.linuxschools.com
https://github.com/the-linux-schools-project
Damien Miller
2014-Nov-04 23:59 UTC
CanonicalizeHostname issues with multiple config blocks
On Mon, 3 Nov 2014, Robin McCorkell wrote:

> When using the CanonicalizeHostname and CanonicalDomains directives, the
> options parsed before the hostname is canonicalized cannot be overridden by
> more specific blocks after canonicalization. For example:
>
> CanonicalizeHostname yes
> CanonicalDomains foo.bar.com
>
> Host *.foo.bar.com
> GSSAPIAuthentication yes
>
> Host *
> GSSAPIAuthentication no
>
> If connecting to 'srv.foo.bar.com', then GSSAPI authentication is enabled.
> But connecting to 'srv', even though it is canonicalized correctly to
> 'srv.foo.bar.com', does not enable GSSAPI authentication as the 'Host *'
> block is parsed before canonicalization and cannot be then overridden by
> the more specific block.

That's expected. With CanonicalizeHostname enabled, the config file is
parsed twice: once with the short name (and to pick up the
CanonicalizeHostname directive itself) and then again with the
canonicalised name.

OpenSSH 6.8 will offer more control here using some extensions to the
Match keyword: a new "canonical" criteria that causes it to match only
during the second pass:

CanonicalizeHostname yes
CanonicalDomains foo.bar.com

Match canonical *.foo.bar.com
    GSSAPIAuthentication yes

Match canonical *
    GSSAPIAuthentication no

Sorry I didn't think of this sooner :/

-d
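The two-pass evaluation Damien describes, as an added simulation that is not OpenSSH code: it models ssh_config's "first obtained value wins" rule and the re-parse after canonicalisation, and shows why Robin's Host blocks leave GSSAPIAuthentication at "no" for 'srv' while the Match form enables it. It assumes the OpenSSH 6.8 syntax `Match canonical host <pattern>` (with the `host` keyword before the pattern) and, as a simplification, appends the first CanonicalDomains entry to a dotless name instead of doing ssh's DNS lookup.

```python
import fnmatch

# Constructed copies of the thread's two configurations (6.8 Match syntax).
HOST_CONFIG = """CanonicalizeHostname yes
CanonicalDomains foo.bar.com
Host *.foo.bar.com
  GSSAPIAuthentication yes
Host *
  GSSAPIAuthentication no
"""
MATCH_CONFIG = HOST_CONFIG.replace("Host ", "Match canonical host ")

def parse(text):
    """Split into [(criteria, {option: value})]; criteria is None for the
    global section, ('host', pat) for Host, ('canonical', pat) for Match."""
    sections = [(None, {})]
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            sections.append((("host", value), {}))
        elif key == "match" and value.startswith("canonical host "):
            sections.append((("canonical", value.split()[2]), {}))
        elif key:
            sections[-1][1].setdefault(key, value)  # first value wins
    return sections

def one_pass(sections, host, opts, post_canon):
    """Apply every section matching host; 'canonical' sections match only
    in the re-parse, and options already obtained are never overridden."""
    for crit, values in sections:
        if crit and crit[0] == "canonical" and not post_canon:
            continue
        if crit and not fnmatch.fnmatchcase(host, crit[1]):
            continue
        for k, v in values.items():
            opts.setdefault(k, v)
    return opts

def effective_config(text, host):
    """Pass 1 on the name as typed; with CanonicalizeHostname yes, a dotless
    name gets the first CanonicalDomains entry appended, then pass 2."""
    sections = parse(text)
    opts = one_pass(sections, host, {}, post_canon=False)
    if opts.get("canonicalizehostname") == "yes":
        domains = opts.get("canonicaldomains", "").split()
        if "." not in host and domains:
            host = f"{host}.{domains[0]}"
        opts = one_pass(sections, host, opts, post_canon=True)
    return host, opts
```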